search

Inventory Scanner Configuration

The Inventory Scanner is configured in the YAML file conf/xygeni.inventory.yml.

The file contains properties to specify:

  • Files to include/exclude. Defaults are provided for common directories to ignore.

  • Configuration for report output, including the columns/fields to render.

  • Configuration for each ecosystem analyzer.

  • Scan configuration properties like mode = sequential or parallel. Parallel model utilizes threads to run the scan in parallel across files and detectors.

circle-info

Command line arguments have priority over configuration properties in this file.

# Configuration for xygeni Assets Inventory scanner.
# Arguments from command line have priority over properties in this file.

# Includes: list of glob patterns to include in analysis.
#
# A pattern could use ** (to match zero or more directories), * (zero or more characters
# in a directory or file name), and ? (one character).
# Examples: **/*.txt matches all files with 'txt' extension. **/test/** matches all files under any test directory.
#
# If empty, ALL files will be matched.
# The command-line argument -i or --include will be used when specified.
#
# A file is analyzed when matched by 'includes' AND NOT matched by 'excludes'.
includes: []

# Excludes: list of glob patterns to exclude from analysis.
# If empty, NO file will be excluded.
# The command-line argument -e or --exclude will be used when specified.
excludes:
  - ".git/**/*"
  - ".vscode/**/*"
  - "build/**/*"
  - "dev/**/*"
  - "**/__pycache__/**/*"
  - "**/.eggs/**/*"
  - "**/locales/**/*"
  - "**/spec/**/*"
  - "**/specs/**/*"
  - "**/test/**/*"
  - "**/tests/**/*"
  - "**/mock/**/*"
  - "**/mocks/**/*"
  - "**/integration/**/*"
  - "**/node_modules/**/*"
  - "**/bower_components/**/*"
  - "**/.xygeni.*.json"
  
# mode=sequential runs analyzers sequentially;
# mode=parallel runs analyzers in multiple threads, when analyzer is capable of parallel runs.
mode: parallel

# Timeout, in seconds, for the analysis to complete. 0 or negative means no timeout.
timeout: 600

# Config for reporters
report:
  - format: json
    prettyPrint: true

  - format: csv

    # Allowed values: "id", "kind", "scope", "name", "qualifiedName", "belongsTo", "fullyResolved", "path", "createdAt", "updatedAt", "tags", "properties"
    columns: [ "kind", "name", "qualifiedName", "belongsTo", "fullyResolved", "path", "createdAt", "updatedAt", "tags", "properties"]

    # Order specification. 'default' lists by kind first, then by name.
    # One of 'default' or 'id'.
    sort: default

  - format: text

    # Allowed values: "id", "kind", "scope", "name", "qualifiedName", "belongsTo", "fullyResolved", "path", "createdAt", "updatedAt", "tags", "properties"
    columns: [ "kind", "name", "belongsTo", "tags" ]

    # Order specification. 'default' lists by kind first, then by name.
    # One of 'default' or 'id'.
    sort: default

    # The style for table borders.
    # One of 'full', 'none', 'outside', 'inside', 'horizontal', 'vertical', 'topbottom'.
    # Use 'default' for border that works well for the underlying OS.
    borders: full

    # The block characters to use: 'ascii' (use '+', '|', '-' and '=')
    # or 'utf8' for UTF-8 block characters.
    # Use 'default' for the encoding that works best for the underlying OS.
    bordersEncoding: utf8

# The detectors to use for discovering SDLC assets
# are configured in resource files under inventory/*.yml

# List of detectors to run: IDs.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --detectors overrides this.
runDetectors: []

# Same format as runDetectors, but for skipping the selected detectors.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --skip-detectors overrides this.
skipDetectors: []

hashtag
Inventory Assets Detectors Configuration

Assets from various ecosystems are managed by each designated detector. These detectors handle relevant files and other sources, and can invoke an API, if available, to gather more details about the asset.

The following ecosystems are supported:

  • Source Code Management (SCM) systems: GitHub, Azure Devops, BitBucket, GitLab.

  • Dependencies Management systems for multiple language ecosystems, including Package managers and Component Registries like NPM, Maven, Gradle, Bower, Nuget, pip, go.mod, RubyGems, PHP Composer, Swift Package Manager, CocoaPods, Carthage, Cargo, etc.

  • CI/CD tools: The systems provided by the SCM systems listed above plus specialized CI/CD systems like Jenkins, CircleCI or Travis CI.

  • Security tools: A variety of security tools, configured in the xygeni.security_tools.yml file.

  • Cloud assets include technologies like containers, container orchestrators, and Infrastructure-as-Code (IaC) frameworks. Examples are Dockerfiles, docker-compose, Kubernetes, Terraform, Bicep, Azure Resource Manager, CloudFormation, and Ansible.

  • Collaborators: it is not active by default. See how Inventory Collaborators Scan can be run and what organization assets are gathered.

PreviousInventory ScannerNextInventory Collaborators Scan

Last updated